Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with the option to select different criteria to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-5553

Publication date:
21/11/2023
During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device tampering (commonly known as Secure Boot) in AXIS OS making it vulnerable to a sophisticated attack to bypass this protection. To Axis' knowledge, there are no known exploits of the vulnerability at this time. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Severity CVSS v4.0: Pending analysis
Last modification:
10/06/2025

CVE-2023-4149

Publication date:
21/11/2023
A vulnerability in the web-based management allows an unauthenticated remote attacker to inject arbitrary system commands and gain full system control. Those commands are executed with root privileges. The vulnerability is located in the user request handling of the web-based management.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-4424

Publication date:
21/11/2023
A malicious BLE device can cause a buffer overflow by sending a malformed advertising packet to a BLE device using Zephyr OS, leading to DoS or potential RCE on the victim BLE device.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-21417

Publication date:
21/11/2023
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerable to path traversal attacks that allow for file/folder deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator privileges. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2024

CVE-2023-21418

Publication date:
21/11/2023
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to path traversal attacks that allow for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator privileges. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2024

CVE-2023-46935

Publication date:
21/11/2023
eyoucms v1.6.4 is vulnerable to Cross Site Scripting (XSS), which can lead to stealing sensitive information of logged-in users.
Severity CVSS v4.0: Pending analysis
Last modification:
10/08/2024

CVE-2023-21416

Publication date:
21/11/2023
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi was vulnerable to a Denial-of-Service attack allowing an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account; however, the impact is equal for both. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2024

CVE-2023-45886

Publication date:
21/11/2023
The BGP daemon (bgpd) in IP Infusion ZebOS through 7.10.6 allows remote attackers to cause a denial of service by sending crafted BGP update messages containing a malformed attribute.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-42770

Publication date:
21/11/2023
On Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A), any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message is received over TCP/IP, the RTU will simply accept the message with no authentication challenge.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-6142

Publication date:
21/11/2023
Dev blog v1.0 allows an XSS to be exploited through an unrestricted file upload, combined with low entropy in the generated filenames. With this, an attacker can upload a malicious HTML file, then guess the filename of the uploaded file and send it to a potential victim.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2025

CVE-2023-6144

Publication date:
21/11/2023
Dev blog v1.0 allows an account takeover to be exploited through the "user" cookie. With this, an attacker can access any user's session just by knowing their username.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023

CVE-2023-40151

Publication date:
21/11/2023
When user authentication is not enabled, the shell can execute commands with the highest privileges. On Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A), any Sixnet UDR message will meet an authentication challenge over UDP/IP. When the same message comes over TCP/IP, the RTU will simply accept the message with no authentication challenge.
Severity CVSS v4.0: Pending analysis
Last modification:
29/11/2023